This article from the editor shows how to use OpenSSL on RHEL 6.3 to create a CA certificate and then issue certificates with it. I hope you will find it useful; let's work through it together.
1. Configure OpenSSL
[root@test1 /]# rpm -qa | grep openssl
openssl-1.0.0-20.el6_2.5.i686
[root@test1 /]# cd /etc/pki/tls
[root@test1 tls]# ls
cert.pem certs misc openssl.cnf private
[root@test1 tls]# vim openssl.cnf
#
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (the CA's base directory)
certs = $dir/certs # Where the issued certs are kept (issued-certificate directory)
crl_dir = $dir/crl # Where the issued crl are kept (directory for issued CRLs)
database = $dir/index.txt # database index file. (certificate index file)
# unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. (a copy of every certificate the CA signs)
certificate = $dir/my-ca.crt # The CA certificate (the CA's certificate file)
serial = $dir/serial # The current serial number (serial number for the next certificate the CA issues)
crlnumber = $dir/crlnumber # the current crlnumber (number of the next CRL)
# must be commented out to leave a V1 CRL
crl = $dir/my-ca.crl # The current CRL (certificate revocation list)
private_key = $dir/private/my-ca.key # The private key (the CA's private key file)
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
default_days = 365 # how long to certify for (validity period of issued certificates)
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
[ policy_match ] # policy for the subject fields of requests to be signed: a field marked "match" must be identical to the corresponding field of the CA certificate, "supplied" must be present, "optional" may be omitted.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
#
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN # change the default country code to suit your site
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hebei # change to your own state or province
localityName = Locality Name (eg, city)
localityName_default = Beijing # change to your own city
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Tianli Company # change to your own organization or company name
[root@test1 tls]# cd ../CA/
[root@test1 CA]# ls
certs crl newcerts private
Note: these directories must exist; create them yourself if they are missing.
[root@test1 CA]# touch index.txt
[root@test1 CA]# echo "00" > serial
[root@test1 CA]# ls
certs crl index.txt newcerts private serial
2. Creating the keys
Create the CA private key (running the command in a subshell with umask 077 makes the key file readable only by its owner, root):
[root@test1 CA]# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
.. +
. +
E is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:
Verifying - Enter pass phrase for private/my-ca.key:
Generate the self-signed CA certificate (which carries the CA's public key) from the private key:
[root@test1 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: CN
State or Province Name (full name) []: Hebei
Locality Name (eg, city) [Beijing]: Beijing
Organization Name (eg, company) [Default Company Ltd]: Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: test1
Email Address []:
[root@test1 CA]# ls
certs crl index.txt my-ca.crt newcerts private serial
3. Client side: create a key and a certificate request
On the CA server (192.168.1.130):
[root@test1 CA]# yum -y install httpd
[root@test1 CA]# service httpd start
[root@test1 CA]# mkdir -p /var/www/html/yum
[root@test1 CA]# cp my-ca.crt /var/www/html/yum    # publish the CA certificate (its public key) over HTTP so others can download it
Then on the client (192.168.1.117), generate a private key and a certificate signing request (the transcript uses a 1024-bit key; the CA key above is 2048 bits, and a client key at least that long is preferable):
[root@test2 Desktop]# openssl genrsa 1024 > test2.key
Generating RSA private key, 1024 bit long modulus
. +
. +
E is 65537 (0x10001)
[root@test2 Desktop]# openssl req -new -key test2.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Hebei
Locality Name (eg, city) [Default City]: Beijing
Organization Name (eg, company) [Default Company Ltd]: Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: test2
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test2 Desktop]# scp dovecot.csr root@192.168.1.130:/root/
root@192.168.1.130's password:
dovecot.csr 100% 668 0.7KB/s 00:00
4. The CA server signs and issues the certificate
On the CA server:
[root@test1]# openssl ca -in dovecot.csr -out dovecot.cst
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 22 10:44:36 2013 GMT
Not After: Jan 22 10:44:36 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Hebei
organizationName = Tianli Company
commonName = test2
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
56:69:58:12:67:C7:FC:9E:AC:70:1D:2A:2C:56:A4:E1:61:97:B2:23
X509v3 Authority Key Identifier:
keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62
Certificate is to be certified until Jan 22 10:44:36 2014 GMT (days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
The certificate has now been issued successfully.
Appendix: two problems that commonly arise when issuing certificates
[root@test1]# openssl ca -in dovecot.csr -out dovecot.cst
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Unable to load number from /etc/pki/CA/serial
Error while loading serial number
3078239980:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
The "error while loading serial number" message usually means the serial file has not been given an initial value.
Solution:
[root@test1 ~]# cd /etc/pki/CA
[root@test1 CA]# echo "00" > serial
[root@test1 CA]# cat serial
00
Another problem when signing: a "failed to update database" error appears at the end.
[root@test1]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jan 23 02:23:39 2013 GMT
Not After: Jan 23 02:23:39 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Hebei
organizationName = Tianli Company
commonName = test2
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
96:86:28:B7:ED:2E:96:79:32:88:7E:C3:23:37:02:BC:43:1C:76:87
X509v3 Authority Key Identifier:
keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62
Certificate is to be certified until Jan 23 02:23:39 2014 GMT (days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
Certificate is to be certified until Jan 23 02:17:38 2014 GMT (days)
Sign the certificate? [y/n]: y
Failed to update database
TXT_DB error number 2
If you encounter this error, the workaround used here is to clear the contents of /etc/pki/CA/index.txt and then issue the certificate again. Note that "TXT_DB error number 2" means the database already holds an entry with the same subject (test2 was signed twice above), and emptying index.txt discards the CA's record of every certificate it has issued; revoking the earlier certificate first, or uncommenting `unique_subject = no` in [ CA_default ], avoids the error without losing that record.
Revoke a certificate (this example revokes the CA's own my-ca.crt; to revoke a certificate the CA issued, pass that certificate file instead, for example dovecot.crt):
[root@test1 ~]# openssl ca -revoke my-ca.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Adding Entry with serial number B443BCCFCD08C1CD to DB for /C=CN/ST=Hebei/L=Beijing/O=Default Company Ltd/CN=test1
Revoking Certificate B443BCCFCD08C1CD.
Data Base Updated
Generate the certificate revocation list (CRL):
[root@test1]# openssl ca -gencrl -out my-ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Unable to load number from /etc/pki/CA/crlnumber
Error while loading CRL number
3079087852:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
When "error while loading CRL number" appears, the fix is to give the crlnumber file an initial value:
[root@test1 ~]# echo "00" > /etc/pki/CA/crlnumber
[root@test1]# openssl ca -gencrl -out my-ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
[root@test1 ~]# ls
anaconda-ks.cfg dovecot.csr install.log my-ca.crl Public
dead.letter dovecot.cst install.log.syslog my-ca.crt Templates
Desktop dovecot.pem Music test2.key
Documents Downloads Pictures Videos
[root@test1 ~]# cat my-ca.crl
-BEGIN X509 CRL-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-END X509 CRL-